Are we talking about the right things?

I am in Qatar at the moment at the Doha Information Security Conference. They actually have a very interesting setup as they only have very short presentations (about 5-10 minutes) of approx. 2 people and from there on they are working with a panel discussion on the topic during the rest of the hour. As there are about 100 pretty active people (which is a lot in Qatar), the format is very interactive and attractive.

Today, there was one session on the ISO standards. We had a very good discussion on them and then one of the participants raised a very good point: He stated that he was participating in a lot of events. A lot of people are talking about Risk Management, writing pragmatic Security Policies etc. but nobody actually tells him where to start and how to do it.

Is this really true (I did not do it in this short presentation)? We usually say that the policy and the project have to be adapted to the company. This is definitely true but is the approach so different? When I was working at PricewaterhouseCoopers, the approach we took was normally more or less the same (more more than less J). So, why do we not give better guidance to the people on how to do it?

Do you give guidance normally (talking at events, not doing consultancy J)?

Roger